How to Find Your First CVE: A Guide for Aspiring Security Researchers


Khammassilouay

Discovering your first Common Vulnerabilities and Exposures (CVE) can be a thrilling and rewarding experience, especially for those venturing into the field of cybersecurity. In just one month, I managed to find 10 CVEs, and I’m excited to share the steps I followed to achieve this milestone. This blog will outline the process I used, providing you with a roadmap to uncovering your own CVEs. By following these steps, you’ll be equipped with the knowledge and tools needed to make your mark in the cybersecurity community.

1. Choosing the right target:

All the projects you will work on should be free and open-source projects available on GitHub. This ensures you have access to the source code for your analysis. Selecting a target can be frustrating initially, so it’s essential to pick a specific topic or area to focus on during your hunting period. For example, you might choose a CRM system. Next, select a programming language you are comfortable with, such as PHP. Then, check if the vendor has released updates or versions for that project.

For the sake of this blog post, we will choose the ChurchCRM vendor as our target after filtering for CRM systems and selecting PHP as our preferred programming language.

2. Navigate through the project:

When exploring the vendor’s GitHub page, you might discover a demo of their project.

It’s essential to confirm that this demo represents the latest version. If a demo is not available, you can download the project and run it locally. In our scenario, the vendor does offer a demo, and we’ve confirmed that it is indeed the most recent version.

3. Analyzing the source code using Snyk:

Next, analyze the source code with Snyk, a platform that scans code for vulnerabilities. Since we have access to the repository, we can thoroughly analyze the entire codebase to identify any issues.

4. Spot the security issues in the source code:

As shown in the following screenshot, Snyk has identified a stored cross-site scripting (XSS) vulnerability.

5. Trying to confirm the issue:

We need to verify the stored XSS finding that Snyk reported and attempt to reproduce the attack. Snyk can sometimes produce false positives, so it’s crucial to manually check and confirm whether the vulnerability truly exists.
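One way to triage a stored XSS finding like this locally is to store an inert marker and check whether it comes back unencoded. The following is an added example, not code from ChurchCRM, Snyk or the original post; the function names, the `note` field and the marker are constructed for illustration.

```php
<?php
// Added example: names, fields and the marker below are constructed,
// not taken from ChurchCRM or from Snyk output.

// Stand-in for the database row a form handler saved earlier.
function load_record(array $db, int $id): string {
    return $db[$id]['note'] ?? '';
}

// Pattern a scanner flags: a stored value reaches HTML output unencoded.
function render_raw(string $note): string {
    return '<td class="note">' . $note . '</td>';
}

// Same sink with output encoding suited to an HTML body context.
function render_encoded(string $note): string {
    return '<td class="note">'
        . htmlspecialchars($note, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</td>';
}

// Triage: does a harmless marker with HTML metacharacters come back intact?
// Intact means the browser would interpret it as markup: finding confirmed.
// Encoded means the scanner flagged a sink that is already protected.
function finding_confirmed(callable $render, string $marker): bool {
    $db = [1 => ['note' => $marker]];       // "store" step
    $html = $render(load_record($db, 1));   // "view later" step
    return strpos($html, $marker) !== false;
}

// Inert, constructed marker: no script, only characters that must be encoded.
$marker = '<i data-triage="m1">"probe\'</i>';

foreach (['render_raw', 'render_encoded'] as $fn) {
    $verdict = finding_confirmed($fn, $marker)
        ? 'true positive (marker returned unencoded)'
        : 'false positive (marker was encoded)';
    printf("%-15s %s\n", $fn, $verdict);
}
```

The same check applies to the real code path: trace the flagged value from where it is saved to every page that prints it, and confirm whether encoding happens at each output point.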

6. Reporting and requesting a CVE:

To report your first CVE to VulDB, create an account and log in to the VulDB website. Go to the vulnerability submission page and complete the form with all necessary details: a clear title, detailed description, affected products, impact assessment, proof of concept, and any available fixes. Attach supporting documents like screenshots or logs if available. Submit the form and be ready to respond to any follow-up questions from VulDB.

Once verified, your CVE will be published, and you will receive credit for the discovery, bolstering your reputation in the cybersecurity field.
